Wandering Thoughts archives

2005-08-14

Weekly spam summary for August 13th, 2005

Overall SMTP connections are running at twice the expected rate: 246,000 SMTP connections, although from only the usual 33,000 different IP addresses. The SMTP frontend hit a high-water mark of 18 simultaneous connections during the week.

Kernel level IP filtering:

Host/Mask           Packets   Bytes
204.50.22.50          11909    572K
170.206.225.64         8186    393K
66.237.19.76           8148    391K
192.35.251.3           7206    346K
218.102.53.0/24        6916    330K
219.144.0.0/13         5395    262K
212.216.176.0/24       4953    257K
220.160.0.0/11         4875    238K
202.96.0.0/12          4774    245K
61.128.0.0/10          4627    226K

This week is an impressive one for individual accomplishment; we had some very determined would-be callers. 170.206.225.64 got into our IP-level filtering by being in dnsbl.njabl.org; everyone else was very eager to give us a bad SMTP HELO greeting. 170.206.225.64 made a prior appearance in SpamAftermath-2005-07-30; 192.35.251.3 showed up all the way back in IPReject-2005-06-18.

Connection-time rejections run:

 24776 total
 11386 dynamic IP
  8050 bad or no reverse DNS
  1347 class bl-spews
  1284 class bl-cbl
   573 class bl-dsbl
   506 class bl-ordb
   372 class bl-sbl
   264 class bl-njabl
    67 class bl-sdul
     4 class bl-opm

These are up somewhat over last week. Unlike last week, there are no really big single sources that account for the jump in SPEWS.

On the unscientific basis of the number of different places sending us bad HELO greetings and SMTP bounces to nonexistent local users, we are being very actively forged as a spam origin once again. The numbers are up dramatically from last week:

what           # this week  (distinct IPs)  # last week  (distinct IPs)
Bad HELOs            17830             679         3392             197
Bad bounces           5818            2568         1471             878

Other systems show (if anything) a semi-significant decrease in spam and bounces.

spam/SpamSummary-2005-08-13 written at 01:34:14

Those amusing Referer spammers

One form of blog spam is 'Referer' spam. Referer is the (optional) HTTP header that a web browser includes in a request to tell the web server which web page carried the link that was followed to reach your page. Some blog software uses this header as a lower-tech version of Trackback, automatically listing recent referring pages as links.

Referer spam has the attraction for the spammers that it's dirt simple to do. All their software has to do is make an ordinary HTTP request for a page or three on a web site and throw in a Referer header pointing at the site they want advertised. No need to talk XML to a specific URL or anything like that.

As a result, Referer spammers appear willing to hit any web site without bothering to check whether their attempts work (this is like many mass attacks on the Internet; when the cost of the attack is so low, why bother being clever?). So, of course, they've wound up hitting CSpace.

Amusingly, so far the Referer spammers have only been hitting WanderingThoughts' spam category index page. Spammers (futilely) trying to leave Referer spam on a web page about spam; now that's irony.

What I suspect is that the Referer spammers are doing Google searches for web pages that already mention spam domains (perhaps particular ones), as a quick, crude way of finding vulnerable web pages. Most of the time this works out okay for them, but it gets tripped up by web pages that merely discuss spam domains.
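What a Referer-spam hit looks like in an access log, and a first-pass filter for it, as an added example that is not part of the original post or of the software behind this site. It assumes Apache/Lighttpd 'combined' log format, a hypothetical /blog/spam/ path standing in for the spam category index page, example.org as the server's own hostname, and a handful of constructed log lines that cite the three spam domains named further down this page.

```python
"""Spotting Referer spam in 'combined'-format web access logs.

Added example, not code from Wandering Thoughts. A spammer's request is
an ordinary GET with a Referer naming the site being advertised, so the
log is enough: group requests by Referer host, skip our own hosts, and
flag a host that is blocklisted or cited by many client IPs against
only one or two of our pages.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# "combined": host ident authuser [date] "request" status bytes "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The three domains the post names as Referer-spam payloads.
KNOWN_SPAM_HOSTS = {"excellent-health.com", "casino-attraction.com", "cash-net.biz"}

# Assumed: hostnames this server answers for; Referers under them are
# internal navigation, not spam candidates.
OWN_HOSTS = {"example.org", "www.example.org"}

# Constructed sample log. /blog/spam/ is an assumed stand-in for the spam
# category index page; client IPs are from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Aug/2005:00:12:01 -0400] "GET /blog/spam/ HTTP/1.1" 200 8123 '
    '"http://www.excellent-health.com/" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.11 - - [14/Aug/2005:00:13:44 -0400] "GET /blog/spam/ HTTP/1.1" 200 8123 '
    '"http://casino-attraction.com/index.html" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.12 - - [14/Aug/2005:00:15:02 -0400] "GET /blog/spam/ HTTP/1.0" 200 8123 '
    '"http://www.cash-net.biz/" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.13 - - [14/Aug/2005:00:21:37 -0400] "GET /blog/spam/ HTTP/1.1" 200 8123 '
    '"http://www.excellent-health.com/weight/" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.7 - - [14/Aug/2005:00:30:10 -0400] "GET /blog/spam/ HTTP/1.1" 200 8123 '
    '"http://example.org/blog/" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20050512"',
    '198.51.100.8 - - [14/Aug/2005:00:31:55 -0400] "GET /blog/linux/ HTTP/1.1" 200 6410 '
    '"http://www.google.com/search?q=wandering+thoughts" "Mozilla/5.0 (X11; U; Linux i686)"',
    'this line is not in combined format and must be skipped',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_host(referer):
    """Lower-cased host of a Referer URL; None for '-' (absent) or unparseable values."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def on_blocklist(host, blocklist=KNOWN_SPAM_HOSTS):
    """True if host is a blocklisted domain or a subdomain of one."""
    return host in blocklist or any(host.endswith("." + b) for b in blocklist)


def analyze(lines, own_hosts=OWN_HOSTS, min_ips=2, max_paths=2):
    """Return {referer_host: {'hits', 'ips', 'paths', 'reasons'}} for suspicious hosts."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # not a log line we understand
        host = referer_host(rec["referer"])
        if host is None or host in own_hosts:
            continue                      # no Referer, or our own navigation
        s = stats[host]
        s["hits"] += 1
        s["ips"].add(rec["ip"])
        s["paths"].add(rec["path"])

    flagged = {}
    for host, s in stats.items():
        reasons = []
        if on_blocklist(host):
            reasons.append("blocklisted referer domain")
        # Many distinct clients citing one site against the same page or two
        # is the shape the post describes; a genuinely popular inbound link
        # looks the same, so treat this as a lead, not a verdict.
        if len(s["ips"]) >= min_ips and len(s["paths"]) <= max_paths:
            reasons.append("%d IPs against %d path(s)" % (len(s["ips"]), len(s["paths"])))
        if reasons:
            flagged[host] = dict(s, reasons=reasons)
    return flagged


if __name__ == "__main__":
    for host, info in sorted(analyze(SAMPLE_LOG).items()):
        print(host, info["hits"], "hit(s);", "; ".join(info["reasons"]))
```

The blocklist match is the only hard signal here; the many-IPs/few-paths rule deliberately stays a lead to look at, because a post that gets linked from one busy site produces the same pattern. Since spammers do not check whether their requests work, the same grouping run over 404s and over pages that never display referers at all will turn up the same hosts, which is a useful second check.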

An analysis of my spammer

Looking at recent Referer spam, I got spam for excellent-health.com, casino-attraction.com, and cash-net.biz. Although they claim to be registered to different bogus places, they all seem to touch base with something variously called 'support2000.net', 'support-2000.net', and 'top-support.net'. They also all use the same two nameservers under various names, at the IP addresses 64.27.27.150 and 64.234.220.141.

64.27.27.0/24 is owned by 'Uplink Systems' under 'Hollywood Interactive, Inc' and is routed by ATMLINK (AS7796). 64.234.220.141 is part of a large WebStream Inc block and is SBL listed (SBL17672), for being in a /25 labeled as owned by Traffix.

The web sites themselves are all currently hosted at the IP address 64.4.195.62, part of 'ANET Internet Solutions' in the US, and its /27 is listed in the SBL as SBL24359 for being part of the ROKSO-listed 'Brian Kramer / Expedite Media Group' grouping.

The IP addresses making the Referer spam requests don't seem to be listed in any DNS blocklist I routinely look at.

Some quick Googling suggests that these domains also engage in other sorts of blog spam, and that all three of these IP addresses are already well known for their spam involvement. (Yet they remain connected. Such is today's Internet, unfortunately.)
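The pivot in the paragraphs above (different claimed registrants, same nameserver IPs, same web host) done mechanically, as an added example rather than anything from the original post. The records are constructed: the IP addresses and the support2000.net / support-2000.net / top-support.net names are the ones reported above, but which contact domain belongs to which spam domain, the registrant strings and the example.net control entry are assumptions, and no DNS or WHOIS lookups are made.

```python
"""Tying spam domains together by shared infrastructure.

Added example, not code from Wandering Thoughts. A union-find over
domains joins two of them whenever they share a value under one of the
chosen link keys, and keeps the shared values as evidence. Registrant is
deliberately not a link key by default: it is the field the spammer
fills in, so it is the one that tells you least.
"""
from collections import defaultdict
from itertools import combinations

# Constructed records. Nameserver IPs, web IP and the three contact domains
# are from the post; the pairing of contact domain to spam domain, the
# registrant strings and the example.net control entry are assumptions.
RECORDS = [
    {"domain": "excellent-health.com", "registrant": "Bogus Place A",
     "ns_ips": {"64.27.27.150", "64.234.220.141"},
     "web_ip": "64.4.195.62", "contact_domain": "support2000.net"},
    {"domain": "casino-attraction.com", "registrant": "Bogus Place B",
     "ns_ips": {"64.27.27.150", "64.234.220.141"},
     "web_ip": "64.4.195.62", "contact_domain": "support-2000.net"},
    {"domain": "cash-net.biz", "registrant": "Bogus Place C",
     "ns_ips": {"64.27.27.150", "64.234.220.141"},
     "web_ip": "64.4.195.62", "contact_domain": "top-support.net"},
    # Unrelated control: shares nothing, must end up in a cluster of its own.
    {"domain": "example.net", "registrant": "Example Inc",
     "ns_ips": {"192.0.2.53"}, "web_ip": "192.0.2.80",
     "contact_domain": "example.net"},
]

DEFAULT_LINK_KEYS = ("ns_ips", "web_ip", "contact_domain")


def _values(record, key):
    """Treat scalar and set-valued attributes uniformly."""
    v = record[key]
    return set(v) if isinstance(v, (set, frozenset, list, tuple)) else {v}


def cluster(records, link_keys=DEFAULT_LINK_KEYS):
    """Group domains that share any value under link_keys.

    Returns (clusters, evidence): clusters is a sorted list of sorted domain
    lists; evidence maps frozenset({a, b}) to the 'key=value' strings the
    two domains were joined on.
    """
    parent = {r["domain"]: r["domain"] for r in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]   # path halving
            d = parent[d]
        return d

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Invert the records: (key, value) -> domains carrying that value.
    index = defaultdict(set)
    for r in records:
        for key in link_keys:
            for v in _values(r, key):
                index[(key, v)].add(r["domain"])

    evidence = defaultdict(set)
    for (key, v), domains in index.items():
        for a, b in combinations(sorted(domains), 2):
            union(a, b)
            evidence[frozenset((a, b))].add("%s=%s" % (key, v))

    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    clusters = sorted(sorted(g) for g in groups.values())
    return clusters, evidence


if __name__ == "__main__":
    clusters, evidence = cluster(RECORDS)
    for c in clusters:
        print("cluster:", ", ".join(c))
        for a, b in combinations(c, 2):
            shared = ", ".join(sorted(evidence[frozenset((a, b))]))
            print("  %s <-> %s via %s" % (a, b, shared))
    # Linking on the forged registrant field alone joins nothing.
    print("registrant-only clusters:", cluster(RECORDS, link_keys=("registrant",))[0])
```

The contact domains are left as the spelling variants the post reports; nothing here tries to unify support2000.net with support-2000.net, so in this data the three spam domains are tied together purely by the shared nameserver and hosting addresses, which is the point.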

spam/AmusingRefererSpammers written at 00:56:09



This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.